Strong IT security often comes at the cost of a positive user experience. Stringent security requirements put in place to protect users often create friction. Now, with the emergence of passwordless authentication, organizations can maximize security while minimizing friction.
However, many security professionals don’t completely grasp how passwordless authentication works, nor how it contributes to a frictionless experience. Let’s explore the what, why, and how of removing passwords to improve both user experience and an organization’s overall security.
The Starting Point: Is a Password Actually Necessary?
The first hurdle organizations must address is their potential discomfort with a passwordless world. Passwords are the status quo we take for granted. They are familiar and we know how to use them.
But passwords are also easy to compromise—and all too often easy to guess, especially as we find ourselves using the same passwords for multiple logins. And why wouldn’t we? There are so many things that require a password; estimates suggest the average user has about 200 passwords and could have double that amount by 2023. The sheer volume of accounts requiring passwords puts users at risk simply because there are too many to keep track of. According to the Verizon 2019 Data Breach Investigations Report, 80% of major data breaches are caused by weak or compromised passwords. Such breaches result in extreme financial loss, downtime, and reputational damage.
Whichever path an organization takes to strike the right balance of security, usability, and cost, the route will be much easier if they team with a trusted channel partner who can help them identify their security needs and access requirements.
One approach some companies are taking to mitigate risk is requiring increased password complexity and automatically shortening a password’s lifespan. But that could make the problem even worse, with users being locked out due to password expiration or needing to have passwords reset. While this may be less of a concern for the enterprise, SMBs understand that mitigating such extraneous costs can make a world of difference.
Given the security risks, usability problems, and potential added costs that passwords present, passwordless authentication morphs beyond just a good idea. It should become an imperative.
What Does “Passwordless” Really Mean?
What is it? And what’s the overall objective? Secret Security Wiki defines passwordless authentication as “any method of verifying the identity of a user that does not require the user to provide a password.”
Those who spend time in the security weeds may read that loud and clear, but what makes the idea of passwordless authentication so confusing is its inability to fit into any one particular box. More familiar terms like multifactor authentication (MFA) or single sign-on (SSO) are clearly defined products or technologies. Passwordless authentication, in contrast, is a desired outcome. And the goal of going passwordless is to implement technologies that reduce—and ideally, eliminate—the use of passwords altogether.
Understanding that difference—goal vs. product—is the first step toward making the shift to a passwordless approach much less intimidating. Once organizations and leadership understand that passwordless is the goal, and that the journey can be tailored to their needs, their IT service provider can begin to implement the technology and strategies that support it.